China has attacked critical infrastructure organizations in the US using a “living off the land” attack that hides offensive action among everyday Windows admin activity.
The attack was spotted by Microsoft and acknowledged by intelligence and infosec agencies from the Five Eyes nations – Australia, Canada, New Zealand, the UK and the US.
A joint cyber security advisory [PDF] from ten agencies describes “a recently discovered cluster of activity of interest associated with a People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon.”
Microsoft asserts the group has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States.
“In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors,” the software giant’s threat intelligence team suggests.
The attackers use several tactics to access victim networks. CVE-2021-40539 – an authentication bypass in ManageEngine that’s been exploited since 2021 – is one way in. So is a flaw in FatPipe MPVPN device software that the FBI warned about in 2021.
Compromised SOHO-grade routers help, too. The Mimikatz tool, which often appears in news of cyber attacks, has been used by Volt Typhoon’s crew.
In Microsoft’s telling of the tale, Volt Typhoon uses command line tools to “collect data, including credentials from local and network systems.”
The gang places that info in a file it tries to exfiltrate, then uses stolen credentials to maintain a persistent presence in target networks.
“In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open source tools to establish a command and control channel over proxy to further stay under the radar,” Microsoft suggests.
The Five Eyes advisory points out that Windows makes these activities possible. “One of the actor’s primary tactics, techniques, and procedures (TTPs) is living off the land, which uses built-in network administration tools to perform their objectives,” the advisory states. “This TTP allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations.”
PowerShell, wmic, ntdsutil, and netsh are among Volt Typhoon’s favorite tools.
That makes life hard for users because, as the advisory points out, “some command lines might appear on a system as the result of benign activity and would be false positive indicators of malicious activity.
“Defenders must evaluate matches to determine their significance, applying their knowledge of the system and baseline behavior. Additionally, if creating detection logic based on these commands, network defenders should account for variability in command string arguments, as items such as ports used may differ across environments.”
There’s no single way to defend against Volt Typhoon. The advisory recommends six actions, namely:
- Hardening domain controllers and monitoring event logs, with a focus on watching ntdsutil.exe and similar process creations;
- Limiting port proxy usage within environments, and only enabling port proxies for the period of time in which they are required;
- Investigating unusual IP addresses and ports in command lines, registry entries, and firewall logs to identify hosts that attackers may be using;
- Reviewing perimeter firewall configurations for unauthorized changes and/or entries that may permit external connections to internal hosts;
- Looking for abnormal account activity, such as logons outside of normal working hours and impossible time-and-distance logons; and
- Forwarding log files to a hardened centralized logging server, preferably on a segmented network.
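To make the advisory's point about baselines and argument variability concrete, here is an added example of the kind of detection logic a defender might run over process-creation events; it is not code from the advisory or from Microsoft. It scans a handful of constructed events (field names loosely modelled on Windows Security event 4688 / Sysmon event 1; the hosts, users, addresses and times are invented) for the ntdsutil, netsh port proxy and wmic patterns the advisory names, captures the variable arguments (ports, addresses, dump paths) with named regex groups instead of hard-coding them, suppresses a known scheduled AD backup as baseline behaviour, and annotates what remains with the off-hours and unusual-address context the recommendations call for. The internal address range and the baseline entry are assumptions for the example.

```python
import re
import ipaddress
from datetime import datetime

# Constructed sample of process-creation events (field layout is an
# assumption of this example, loosely after Security 4688 / Sysmon 1).
SAMPLE_EVENTS = [
    {"time": "2023-05-24T02:13:05", "host": "DC01", "user": "CORP\\svc_backup",
     "cmd": 'ntdsutil.exe "ac i ntds" ifm "create full C:\\Windows\\Temp\\pro" q q'},
    {"time": "2023-05-24T02:15:40", "host": "WS-17", "user": "CORP\\jdoe",
     "cmd": "netsh interface portproxy add v4tov4 listenport=9999 "
            "listenaddress=0.0.0.0 connectport=8443 connectaddress=203.0.113.9"},
    {"time": "2023-05-24T09:02:11", "host": "WS-04", "user": "CORP\\helpdesk",
     "cmd": "netsh advfirewall show allprofiles"},
    {"time": "2023-05-24T11:47:19", "host": "WS-17", "user": "CORP\\jdoe",
     "cmd": 'wmic process call create "cmd.exe /c whoami"'},
    {"time": "2023-05-21T01:00:02", "host": "DC01", "user": "CORP\\svc_backup",
     "cmd": 'ntdsutil.exe "ac i ntds" ifm "create full D:\\Backups\\AD\\weekly" q q'},
]

# Detection rules. Ports, addresses and paths are captured with named groups
# rather than fixed literals, so one rule covers environments whose values differ.
RULES = {
    "ntdsutil_ifm_dump": re.compile(
        r'\bntdsutil(?:\.exe)?\b.*\bifm\b.*\bcreate\s+full\s+"?(?P<path>[^"]+?)"?\s+q\b', re.I),
    "netsh_portproxy_add": re.compile(
        r"\bnetsh\b.*\bportproxy\b.*\badd\b.*listenport=(?P<listenport>\d+)"
        r".*connectport=(?P<connectport>\d+).*connectaddress=(?P<connectaddress>[\w.:-]+)", re.I),
    "wmic_process_create": re.compile(r"\bwmic\b.*\bprocess\s+call\s+create\b", re.I),
}

# Assumed internal address space; a real deployment would use the site's IP plan.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed allowlist of known-good activity: the scheduled AD backup on DC01
# that legitimately runs ntdsutil and writes under D:\Backups\.
BASELINE = [
    {"rule": "ntdsutil_ifm_dump", "host": "DC01", "user": "CORP\\svc_backup",
     "path_prefix": "D:\\Backups\\"},
]


def is_baselined(event, rule, fields):
    """True when the match is explained by a known, expected activity."""
    for entry in BASELINE:
        if (entry["rule"], entry["host"], entry["user"]) != (rule, event["host"], event["user"]):
            continue
        prefix = entry.get("path_prefix")
        if prefix is None or fields.get("path", "").lower().startswith(prefix.lower()):
            return True
    return False


def is_external(addr):
    """Addresses outside INTERNAL_NETS (or unparseable hostnames) deserve a look."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)


def off_hours(ts, start=22, end=6):
    """Flag activity between 22:00 and 06:00 local time (assumed working hours)."""
    hour = datetime.fromisoformat(ts).hour
    return hour >= start or hour < end


def detect(events):
    """Return one finding per (event, rule) match that is not baselined."""
    findings = []
    for ev in events:
        for name, pattern in RULES.items():
            m = pattern.search(ev["cmd"])
            if not m:
                continue
            fields = m.groupdict()
            if is_baselined(ev, name, fields):
                continue
            notes = []
            if off_hours(ev["time"]):
                notes.append("off-hours")
            if name == "netsh_portproxy_add" and is_external(fields["connectaddress"]):
                notes.append("external connectaddress")
            findings.append({"rule": name, "host": ev["host"], "user": ev["user"],
                             "time": ev["time"], "fields": fields, "notes": notes})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["time"], f["host"], f["user"], f["rule"], f["fields"], f["notes"])
```

Run as-is, the three non-baselined matches are reported: the unexpected ntdsutil dump to a temp directory on the domain controller, the port proxy pointing at an address outside the internal range, and the wmic process creation; the benign `netsh advfirewall show` and the scheduled backup produce nothing. The baseline table is the part that needs the most local knowledge, which is exactly the "knowledge of the system and baseline behavior" the advisory says cannot be skipped.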
News of Volt Typhoon’s alleged activities adds to the many allegations that China runs crews dedicated to attacking foreign governments and businesses. The US claims China is its most prolific online foe and employs 50 attackers for every stateside defender. China has countered with a claim the US is an “Empire of Hacking.”
While they bicker, Reg readers are left with the kind of defensive to-do list outlined above. ®